Predator spyware sold with Chrome, Android zero-day exploits to monitor targets

Or so says Google after tracking 30+ vendors peddling surveillance malware


Spyware vendor Cytrox sold zero-day exploits to government-backed snoops who used them to deploy the firm's Predator spyware in at least three campaigns in 2021, according to Google's Threat Analysis Group (TAG).

The Predator campaigns relied on four vulnerabilities in Chrome (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003) and one in Android (CVE-2021-1048) to infect devices with the surveillance-ware. 

Based on CitizenLab's analysis of Predator spyware, Google's bug hunters believe that the buyers of these exploits operate in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, Indonesia, and possibly other countries.

"We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns," Google security researchers Clement Lecigne and Christian Resell wrote in a TAG update this month.

Cytrox, which is based in the Balkan state of North Macedonia, did not respond to The Register's request for comment.

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," the researchers wrote, adding that seven of the nine zero-day exploits that TAG discovered last year were developed by commercial vendors and sold to government-backed operators.

While NSO Group and its Pegasus spyware is perhaps the most notorious of these commercial providers, we're told that TAG is tracking more than 30 such software providers that possess "varying levels of sophistication." All of them are selling exploits or surveillance malware to governments for supposedly legitimate purposes.

Highly-targeted campaigns

The Predator campaigns were highly targeted to just tens of users hit, according to the Googlers. While the researchers didn't provide specifics about who these campaigns targeted, they do note that they've seen this sort of tech used against journalists in the past. Similarly, CitizenLab's analysis details Predator spyware being used against an exiled Egyptian politician and an Egyptian journalist.  

Each of the TAG-discovered campaigns delivered a one-time link via email that spoofed URL shortening services. Once clicked, these URLs directed the victims to an attacker-owned domain that delivered Alien, Android malware that loads the Predator spyware and performs operations for it.

"Alien lives inside multiple privileged processes and receives commands from Predator over IPC," Lecigne and Resell noted. "These commands include recording audio, adding CA certificates, and hiding apps."

The first campaign, which TAG detected in August 2021, used a Chrome vuln on Samsung Galaxy S21 devices. Opening the emailed link in Chrome triggered a logic flaw in the browser that forced the Samsung-supplied browser to open another URL. The content at that other URL likely exploited flaws in the Samsung browser to fetch and run Alien.

The security researchers surmise that the attackers didn't have exploits for the then-current version of Chrome (91.0.4472) and instead used n-day exploits against Samsung Browser, which was running an older version of Chromium. 

"We assess with high confidence this vulnerability was sold by an exploit broker and probably abused by more than one surveillance vendor," they wrote.

The second campaign, which TAG observed in September 2021, chained two exploits: an initial remote code execution and then a sandbox escape. It targeted an up-to-date Samsung Galaxy S10 running the latest version of Chrome.

"After escaping the sandbox, the exploit downloaded another exploit in /data/data/com.android.chrome/p.so to elevate privileges and install the Alien implant," according to Lecigne and Resell, adding that they haven't retrieved a copy of the exploit.

TAG analyzed one other campaign, a full Android exploit chain, targeting an up-to-date Samsung phone running the latest version of Chrome. It included a zero-day in JSON.stringify and a sandbox escape, which used a Linux kernel bug in the epoll() system call to gain sufficient privileges to hijack the device.

This particular Linux kernel bug, CVE-2021-1048, was fixed more than a year before the campaign. However, the commit was not flagged as a security issue, so the update wasn't backported to most Android kernels. All Samsung kernels remained vulnerable when the nation-state backed gangs carried out this exploit. ®


Other stories you might like

  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading

Biting the hand that feeds IT © 1998–2022